secure routing in multi-hop wireless networks (i)

Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen

Secure routing in multi-hop wireless Secure routing in multi-hop wireless networks (I)networks (I)

ad hoc network ad hoc network routing protocols;routing protocols;

attacks on routing;attacks on routing;

countermeasures;countermeasures;

Georg-August University GöttingenSecure routing in multi-hop wireless networks

outline

1 Routing protocols for mobile ad hoc networks2 Attacks on ad hoc network routing protocols3 Security countermeasures for ad hoc network routing protocols

2


Ad hoc network routing protocols

topology-based protocols– Proactive:

• Every node knows a route to all other nodes at any time– distance vector based (e.g., DSDV)– link-state (e.g., OLSR)

• Requires periodic exchange of routing information among the nodes• If only few pairs of nodes communicate to each other, then most of

the periodically exchanged information is useless (never used)• But since the routes are always available and up-to-date, packets can

be sent with no routing delay (no need to wait until a route is found)

– reactive (on-demand):• A route is established between a source and a destination

only when needed– distance vector based (e.g., AODV)– source routing (e.g., DSR)

• Nodes use their resources to find routes only when there are data packets to be sent

3


Ad hoc network routing protocols

– hybrid approaches• Try to combine the advantages of reactive and proactive routing

protocols • Use proactive approach to maintain routes from a node to its

local neighborhood (e.g. up to certain number of hops) and use reactive approaches when routes to far away nodes are required

position-based protocols– Use location information of the nodes to route data packets

• greedy forwarding (e.g., GPSR, GOAFR)• restricted directional flooding (e.g., DREAM, LAR)

– Each node is aware of its own location and obtains the location information of other nodes via a location service provided by the nodes in a distributed manner

– The sender obtains the location information of the destination node and puts it in the data packet; each intermediate node makes routing decisions based on its own location and the location of the destination node

4


Example: Dynamic Source Routing (DSR)

DSR is an on-demand source routing protocol

As in any other on-demand routing protocol it has two components:– route discovery

• used only when source node attempts to send a packet to the destination node

• based on flooding of Route Requests (RREQ) and returning Route Replies (RREP)

– route maintenance• makes the source node able to detect route errors, e.g., if

a link along that route no longer works (usually because of nodes’ movement)

5


DSR Route Discovery

Assume that node A has some data packets to send to node H and has no route to it in its routing table it initiates and broadcasts a RREQ message; a RREQ carries a request identifier (to prevent

other nodes from proceeding the same RREQ more than once), the IDs of A and H and an empty list of forwarding nodes

Each intermediate node adds its ID to the list until the RREQ is received by H and will be replied by a RREP message

6


DSR Route Discovery

Node A wants to transmit some data packets to node H. It initiates a RREQ packet which will be broadcasted by the

nodes who receive it. When node H receives the RREQ it initiates a RREP packet. H copies the recorded list of identifiers from the RREQ to the

RREP.

7

A

B

C

D

E

F

G

H

A *: [RREQ, id, A, H; ()]B *: [RREQ, id, A, H; (B)]C *: [RREQ, id, A, H; (C)]D *: [RREQ, id, A, H; (D)]E *: [RREQ, id, A, H; (E)]F *: [RREQ, id, A, H; (E, F)]G *: [RREQ, id, A, H; (D,G)]( )

( )( )

( )

(D)

(E)

(D, G)

(E, F)

H A: [RREP, <source route>; (E, F)]


DSR Route Discovery

<source route> is the route used to send the packet back to A which could be obtained:

– from the route cache of H (means if H already had a route to A in its route cache)

– by reversing the route received in the RREQ• works only if all the links along the discovered

route are bidirectional• IEEE 802.11 assumes that links are bidirectional

– by executing a route discovery from H to A• discovered route from A to H is piggy backed to

avoid infinite recursion

8


DSR Route Maintenance

DSR requires each intermediate node to make sure that the data packet that it is forwarding reaches the next hop:– Data link layer acknowledgements can be used; or

overhearing the transmission of the packet by next intermediate node

If no acknowledgement arrives for a given packet, the intermediate node tries to re-transmit the packet

If still no acknowledgement arrives for that packet, the intermediate node generates a route error message and sends it to the source of the packet

The source and the other intermediate nodes who forward the error message would invalidate the routes that contain this broken link

9


Example: Ad-hoc On-demand Distance Vector routing (AODV) on-demand distance vector routing

the nodes maintain routing tables A RREQ contains: IDs of the sender and the

destination, a hop count, a packet identifier, two sequence numbers: current sequence number of the source and the last known sequence number of the destination– Each node has a single sequence number which is incremented

after each detected change in the node’s neighbor set – A RREQ with an already seen packet identifier would be

discarded (duplicate RREQ)

uses sequence numbers to ensure loop-freedom and to detect out-of-date routing information

10


Ad-hoc On-demand Distance Vector routing (AODV) sequence numbers help to:

1. avoid using old/broken routes• To determine which route is newer

2. prevent formation of loops:• How the sequence numbers can prevent loops in the rotes?

3. Example:4. A had a route to D initially: A-B-C-D5. Assume link C-D gets broken, but A does not know about failure of link C-D (because

for example the RERR (route error packet) sent by C is lost)6. Then assume node C performs a route discovery for D. 7. Node A receives the RREQ of C (for example via path C-E-A)8. Node A will generate a RREP because A knows a route to D via node B9. As the results a loop is created (C-E-A-B-C ): i.e. if C sends data packets to D using the

route that it just found, the data packets will be forwarded over and over in the loop10. If sequence numbers were used, the sequence number of the destination D in the

RREQ packet initiated by C would be greater than the one stored in the routing table of A (for the route A-B-C-D) as the second one belongs to an old route.

11


Ad-hoc On-demand Distance Vector routing (AODV) When an intermediate node receives a RREQ:

– If the packet is duplicate packet discarded – Otherwise, if the node has no valid entry for that destination

in its routing table or has an entry with a sequence number smaller than the destination sequence number in the RREQ increment the hop count and re-broadcast the RREQ

– If it has an entry for that destination in its routing table with a sequence number at least as large as the destination sequence number in the RREQ or the node is the destination generate a RREP

When a RREQ or RREP message is received, besides processing the packet, an intermediate node would create or update a route entry for the source (in the case of receiving a RREQ) or for the destination node (in the case of receiving a RREP)

12


Ad-hoc On-demand Distance Vector routing (AODV) a routing table entry contains the following:

– destination identifier– number of hops needed to reach the destination– identifier of the next hop towards the destination– destination sequence number– list of precursor nodes (that may forward packets

to the destination via this node)

13


AODV Route Discovery illustrated

14

A

B

C

D

E

F

G

H

A *: [RREQ, id, A, H, 0, snA, snH]B *: [RREQ, id, A, H, 1, snA, snH]C *: [RREQ, id, A, H, 1, snA, snH]D *: [RREQ, id, A, H, 1, snA, snH]E *: [RREQ, id, A, H, 1, snA, snH]F *: [RREQ, id, A, H, 2, snA, snH]G *: [RREQ, id, A, H, 2, snA, snH]

H F: [RREP, A, H, 0, sn’H]F E: [RREP, A, H, 1, sn’H]E A: [RREP, A, H, 2, sn’H]

(A, 0, -, -, snA)

(A, 0, -, -, snA)

(A, 0, -, -, snA)

(A, 0, -, -, snA)

(A, 1, D, -, snA)

(A, 1, E, -, snA)

(A, 2, F, -, snA)

(H, 0, -, E, sn’H)

(A, 1, E, H, snA)(H, 1, F, A, sn’H)

(A, 0, -, F, snA)(H, 2, E, -, sn’H)


Proactive routing protocols

Link-state protocols:– Each node periodically broadcasts the state of its links – such messages are propagated through the whole network and

so every node gets aware of the link-state information of every other nodes and therefore the topology of the whole network

– Then centralized shortest path algorithms can be used locally at each node to calculate the shortest route to any destinations

Distance-vector based protocols– Each node periodically send its current routing table to its

neighbors– As each node receives the routing information of its neighbors,

it can use them to find better (shorter) routes to some destinations than the routes it already has in its routing table

– By repeating the routing table exchange and routing table update steps, the system would converge to a stable state, where each routing table contains correct routing information

15


Position-based routing protocols

In position-based routing protocols there is no route discovery phase and, instead, the data packets are directed to the destination using location information available

nodes are aware of their own positions and that of their neighbors

The source node includes the position of the destination in the packet header of the data packets

The intermediate nodes would route the packet toward the destination based on their own location and the destination’s location

16


Position-based greedy forwarding

Examples of Position-based greedy forwarding– Most Forward within Radius (MFR): the node forwards the

packet to its closest neighbor to the destination– Nearest with Forward Progress (NFP): to the nearest neighbor

among the ones closer than the forwarding node to the destination

– Compass forwarding: to the neighbor who is closest to the straight line between the forwarding node and the destination– Random forwarding: a random neighbor among the ones who are closer than the forwarding node to the destination

17

compass

MFR

NFP

source

destination


outline


18


Attacks on routing protocols

general objectives of attacks– increase adversarial control over the communications

between some nodes;– degrade the quality of the service provided by the network;– increase the resource consumption of some nodes (e.g., CPU,

memory, or energy).

adversary models– insider adversary

• Controls some nodes in the network – As the nodes in ad hoc networks are not physically protected, they

may be captured by the adversary– Such nodes are called adversarial nodes

– outsider adversary • Attacks the communication of some nodes

– Eavesdropping, jamming, injecting fabricated of replayed packets into the network

19



attack mechanisms– eavesdropping, replaying, modifying, and deleting

control packets– fabricating control packets containing fake routing

information (forgery)– fabricating control packets under a fake identity

(spoofing)– dropping data packets (attack against the

forwarding function)– wormholes and tunneling– rushing

20



types of attacks– route disruption: the adversary prevents two nodes from

discovering a route between them• E.x. if the adversary controls the nodes on the vertex-cut in the

network who drop all the control packets (route discovery packets) sent from one part of the network to the other part;

• Or if the adversary forges route error messages it can invalidate the correct routing state in the victim nodes

• In the following example, the attacker performs tunneling attack against routing protocol. It means the attacker tunnels the RREQ packet from the source to an area near the destination before the RREQ packet propagates through the network to that area.

Therefore, later when the nodes in that area receive the RREQ through the intermediate nodes, they would drop it as duplicate RREQ.

The result is that no legitimate route is discovered --> source and destination would be connected through wormhole.

21


Example: Route disruption in DSR with rushing

22

wormhole

source

destination



– route diversion: • The adversary tries to divert routes such that they contain a

node it controls or a link it can observe• Then the adversary can modify or eavesdrop the packets sent

by the nodes• One way of diverting routes is by setting up tunnels: routes

going through the tunnel appear to be shorter, therefore:– used by many pairs of communicating nodes and the adversary can

access their communication easier – The nodes close to the end of tunnel receive lots of packets and

they should consume more resources

• Another aim of doing route diversion by the adversary could be increasing the length of discovered routes to increase latency and decrease quality of service

• Route diversion can be performed by forging or manipulating control packets, e.g. in source routing protocols the attacker can change the list of nodes on the RREP message

23



creation of incorrect routing state:– this attack aims at jeopardizing the routing state in some

nodes so that the state appears to be correct but, in fact, it is not

• data packets routed using that state will never reach their destinations

– the objective of creating incorrect routing state is • to increase the resource consumption of some nodes• the victims will use their incorrect state to forward data

packets, until they learn that something goes wrong• to degrade the quality of service

– can be achieved by • spoofing, forging, modifying, or dropping control packets

24


Example: Creation of incorrect routing state in DSR

25

A

attackerB

C

D

E

F

G

H

A *: [RREQ, id, A, H; ()]B A: [RREP, <src route>, A, H; (D, F)]

H: (D, F)

• Route (A, D, F, H) does not exist !• The packets will be dropped when reaching the first non-existing link!


Example: Creation of incorrect routing state in AODV

26

E (C) F: [RREP, A, H, 2, sn’H]E (D) C: [RREP, A, H, 2, sn’H]E (B) D: [RREP, A, H, 2, sn’H]E (F) B: [RREP, A, H, 2, sn’H]

(A, 0, -, -, snA)

(H, 3, C, B, sn’H)

(A, 1, B, C, snA)

A H

B

CD

E

(A, 1, B, -, snA)

(A, 1, B, -, snA)

(H, 3, B, A, sn’H)

(A, 0, -, B, snA)

F

(H, 3, D, B, sn’H)

(A, 1, B, D, snA)

(A, 0, -, -, snA)

(H, 3, F, A, sn’H)

(A, 0, -, F, snA)

• Creation of a routing loop.• Some packets will be forwarded in a cycle until their hop-count reaches the max. allowed value and then are discarded.


Generation of extra control traffic

generation of extra control traffic:– Injecting spoofed control packets into the network– aiming at increasing resource consumption due to

the fact that such control packets are often flooded in the entire network

Position-based routing protocols seem to be more resistant to this attack, because they use no control packets– But the attacker can send forged or spoofed

location update messages to the location service which will be distributed among some nodes in the network and generate some extra control packets.

27


Setting up a gray hole

creation of a gray hole:– an adversarial node selectively drops data packets

that it should forward– the objective is

• to degrade the quality of service– packet delivery ratio between some nodes can decrease

considerably

• to increase resource consumption– wasting the resources of those nodes that forward the

data packets that are finally dropped by the adversary

– implementation is trivial• adversarial node participates in the route

establishment• when it receives data packets for forwarding, it drops

them28


outline


29


Countermeasures

authentication of control packets

protection of mutable information in control packets

detecting wormholes and tunnels

combating gray holes

30


Authentication of control packets

questions:– Who should authenticate the control packets?– Who should be able to verify authenticity?

control packets should be authenticated by their originators– using MACs or digital signatures by the source node

authenticity should be verifiable by the target of the control packet

moreover, each node that updates its routing state as a result of processing the control packet must be able to verify its authenticity

each node that processes and re-broadcasts or forwards the control packet must be able to verify its authenticity

as it is not known in advance which nodes will process a given control packet, we need a broadcast authentication scheme

31


Protection of mutable information in control packets often, intermediate nodes add information to the control

packet before re-broadcasting or forwarding it (hop count, node list, etc.)

this added information is not protected by control packet origin authentication

each node that adds information to the packet should authenticate that information in such a way that each node that acts upon that information can verify its authenticity– using MACs or digital signatures by the forwarding node at each

hop:• E.g. intermediate nodes’ IDs added to the RREQ, is signed by

the node who adds that data– one problem is the increasing size of the signatures when the

number of hops increases

32


detecting wormholes and tunnels

– Tunnels are similar to wormholes• In tunneling, like in wormhole attacks, the two ends of the

attack look to be neighbors, so the effect of these two attacks on routing is similar

• In tunneling two far away adversarial nodes encapsulate control packets as normal data packets and send to each other

• They use the routing facilities of the network for sending packets

• Wormhole happens in physical layers and does not require that the adversary controls or owns nodes in the network

• In tunneling attack, the adversary should have two addressable nodes present at the routing layer

– Some wormhole detection approaches could be adopted to tunneling attacks

33


Combating gray holes

two approaches:• use multiple, preferably disjoint routes (multi-

path)– Even if the data packets can not reach the destination

through some routes they will be received using other routes– increased robustness– but also increases resource consumption

• detect and react– monitor neighbors (to see if they forward the packet they

received to forward) and identify misbehaving nodes– use routes that avoid those misbehaving nodes– For this purpose reputation reports about nodes can be

spread in the network to build trust values

34

secure routing in multi-hop wireless networks (i)

Documents